26 lines
589 B
Text
26 lines
589 B
Text
|
rule CredStealESY : For CredStealer
|
|||
|
|
|
|||
|
|
{
|
|||
|
|
|
|||
|
|
meta:
|
|||
|
|
|
|||
|
|
description = "Generic Rule to detect the CredStealer Malware"
|
|||
|
|
|
|||
|
|
author = "IsecG – McAfee Labs"
|
|||
|
|
|
|||
|
|
date = "2015/05/08"
|
|||
|
|
|
|||
|
|
reference = "https://securingtomorrow.mcafee.com/mcafee-labs/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign/"
|
|||
|
|
|
|||
|
|
strings:
|
|||
|
|
|
|||
|
|
$my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide //malware trying to get keyboard layout
|
|||
|
|
|
|||
|
|
$my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8} //specific decryption module
|
|||
|
|
|
|||
|
|
condition:
|
|||
|
|
|
|||
|
|
$my_hex_string and $my_hex_string2
|
|||
|
|
|
|||
|
|
}
|